Long-Term Sessions: What they are
How to Differentiate
ackack: A Proof of Concept
Fun Games the Whole IEEE 802 Family can Play

or, how I ARP Poisoned my 20's

Wholepoint, 2001
  Internal network security (huh?)

Mirage Networks
  From the mind of Gartner sprang NAC
  Combined pre- and post-admission, full cycle

Trustwave SpiderLabs
  Bought Mirage, and me
  I bugged Nick until he let me in
Long-term Sessions

So what?

Long-Term Sessions You Don't Want

Bind shells
Sniffers
Remote Control
Virtual Reality connection into your mainframe that allows the kid you fired last month to meet up with his malware and show it how to exploit a timing flaw in the MCP, I mean kernel
Long-Term Sessions You Might Want

Instant Messaging
Large File Downloads
Streaming Media
Rich Web Apps (Comet)
Multi-User Dungeon

But How Do You Tell the Difference?

Differentiating Sessions
"In just one decade, the Web has evolved from being a repository of pages used primarily for accessing static, mostly scientific, information to a powerful platform for application development and deployment."

M. Jazayeri, 2007, Future of Software Engineering, IEEE Digital Library

"After more than four years during which peer-to-peer (P2P) applications have overwhelmingly consumed the largest percentage of bandwidth on the network, HTTP (Web) traffic has overtaken P2P and continues to grow. Presently, as a result of streaming audio and video in Web downloads, HTTP is approximately 46% of all traffic on the network. P2P continues as a strong second place at 37% of total traffic."

Ellacoya (now Arbor Networks), 2007
• Majority of Web sessions are terminated within short duration

Session established, data transferred, session closed

HTTP Session (User <-> www):

  START
  User -> www: TCP SYN
  www -> User: TCP SYN+ACK
  User -> www: TCP ACK
  User -> www: HTTP GET
  www -> User: HTTP OK
  TCP FIN
Definition of long-term session: "Duration"

Could be different for each scenario

• Web servers ~ 5 minutes
• File servers ~ 1 hour
• From internal to Internet server ~ 10 minutes

Helps with signal-to-noise ratio

Session Source - who started it?

Each session needs to be broken down into "Server" and "Source"
Normal source: internal user PCs
Not-so-normal source: your web server...
Whitelists

Need to define "OK" long-term sessions

Common for internal user PCs:
  Instant Messaging
  Comet web apps

Comet: loose term to describe new ways to do long-term web apps
  Some use long-term sessions
  Some use long-polling, a unique hybrid approach

Whitelisting apps can be challenging
  IM, Comet apps don't use one server, they use clusters
  IP addresses may change between sessions
Proof of Concept

Network Sniffer

Detects new and existing sessions

Allows creation of Policies using Duration and Source criteria

Groups hosts by IP subnet, range, or WHOIS query

It calls you "Commander"
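Added example, not ackack's own code: a minimal session manager that does what the two slides above describe. It tracks TCP sessions from a packet stream, tells new sessions (SYN seen, so the initiator is known) from existing ones (only ACKs seen, the "ack, ack" case, where the source still has to be worked out), and reports open sessions older than a per-scenario Duration threshold. The packet records, addresses and thresholds are constructed for illustration.

```python
"""Added example, not ackack's own code: a minimal session manager that
tracks TCP sessions from a packet stream, tells new sessions (SYN seen)
from existing ones (only ACKs seen, "ack, ack"), and reports open
sessions older than a duration threshold. All input is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]
# Constructed packet record: (seconds, src_ip, src_port, dst_ip, dst_port, flags)
# flags uses tcpdump letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST
Packet = Tuple[float, str, int, str, int, str]


@dataclass
class Session:
    a: Endpoint                    # endpoints in sorted order, direction-independent
    b: Endpoint
    first_seen: float
    last_seen: float
    source: Optional[Endpoint]     # initiator, known only if we saw the handshake
    existing: bool                 # True when the first packet we saw was not a SYN
    closed: bool = False

    def minutes(self, now: float) -> float:
        """Observed lifetime; for existing sessions this is only a lower bound."""
        return (now - self.first_seen) / 60.0


def flow_key(ip1: str, p1: int, ip2: str, p2: int) -> Tuple[Endpoint, Endpoint]:
    """Same key for both directions so both halves of a flow hit one session."""
    x, y = sorted([(ip1, p1), (ip2, p2)])
    return x, y


class SessionManager:
    def __init__(self) -> None:
        self.sessions: Dict[Tuple[Endpoint, Endpoint], Session] = {}

    def feed(self, pkt: Packet) -> Session:
        ts, sip, sport, dip, dport, flags = pkt
        key = flow_key(sip, sport, dip, dport)
        s = self.sessions.get(key)
        if s is None:
            if "S" in flags and "A" not in flags:        # SYN: sender started it
                source, existing = (sip, sport), False
            elif "S" in flags and "A" in flags:          # SYN+ACK: receiver started it
                source, existing = (dip, dport), False
            else:                                        # ack, ack: joined mid-stream
                source, existing = None, True
            s = Session(key[0], key[1], ts, ts, source, existing)
            self.sessions[key] = s
        s.last_seen = ts
        if "F" in flags or "R" in flags:
            s.closed = True
        return s

    def long_term(self, now: float, threshold_min: float) -> List[Session]:
        """Open sessions whose observed lifetime is at least threshold_min minutes."""
        return [s for s in self.sessions.values()
                if not s.closed and s.minutes(now) >= threshold_min]


def demo_capture() -> SessionManager:
    """Constructed capture: one short HTTP session (the diagram on the slide) and
    one session the sniffer only ever saw ACKs for, on a port no whitelist covers."""
    mgr = SessionManager()
    packets: List[Packet] = [
        (0.0, "192.168.1.50", 51000, "198.51.100.10", 80, "S"),
        (0.1, "198.51.100.10", 80, "192.168.1.50", 51000, "SA"),
        (0.2, "192.168.1.50", 51000, "198.51.100.10", 80, "A"),
        (0.3, "192.168.1.50", 51000, "198.51.100.10", 80, "PA"),     # HTTP GET
        (0.5, "198.51.100.10", 80, "192.168.1.50", 51000, "PA"),     # HTTP OK
        (0.6, "192.168.1.50", 51000, "198.51.100.10", 80, "FA"),     # TCP FIN
        # no SYN ever seen for this pair: the sniffer attached after it was up
        (5.0, "192.168.1.50", 52909, "169.254.20.5", 4444, "PA"),
        (1205.0, "169.254.20.5", 4444, "192.168.1.50", 52909, "A"),
    ]
    for p in packets:
        mgr.feed(p)
    return mgr


if __name__ == "__main__":
    mgr = demo_capture()
    for s in mgr.long_term(now=1800.0, threshold_min=10):
        who = s.source or "unknown (existing session, needs source detection)"
        print(f"{s.a} <-> {s.b} open {s.minutes(1800.0):.0f} min, source={who}")
```

The short HTTP session closes on its FIN and never shows up; the 52909 <-> 4444 pair does, with `existing=True` and no source, which is exactly the case the next slides' source detection exists for. A real sniffer would also need to age out sessions that die without a FIN or RST while it is not looking.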
Source Detection

Who started it?

Only needed for existing sessions (ack, ack): if the sniffer saw the SYN the initiator is known; if all it ever saw was ACKs, the source has to be worked out after the fact

Source: initiator of the session
Server: um, the server

Port guessing
  Lower port is the server
  Actually works most of the time
  Gets confused on P2P
  Good last resort

Port List
  Checks specific list of ports for server
  Ports listed in precedence order in case of double-match
  Still might miss out on P2P, ports picked somewhat at random
Source Detection

Port Validation
  Connects to each port (low-to-high order), uses first SYN+ACK as server
  Pretty darn reliable
  Active: adds one probe packet on the wire for each session guess

Session:
  Local  Port 52909
  Remote Port 4444
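Added example, not ackack's own code: the three source-detection strategies from the slides above (port guessing, port list, port validation) applied to one endpoint pair, chained in the fallback order a practitioner would use. The port list, the sessions and the fake probe are constructed; `tcp_probe()` is an assumed stand-in that does a full connect() where the slide describes a raw SYN and waits for the SYN+ACK.

```python
"""Added example, not ackack's own code: port guessing, port list and port
validation for source detection on one session. Port list, sessions and the
fake probe are constructed; tcp_probe() is an assumed connect()-based stand-in
for the SYN -> SYN+ACK probe the slides describe."""
import socket
from typing import Callable, List, Optional, Tuple

Endpoint = Tuple[str, int]
Probe = Callable[[str, int], bool]

# Constructed precedence-ordered list: earlier entries win on a double match
PORT_LIST: List[int] = [22, 25, 443, 80, 445, 3389, 5190, 8080]


def guess_by_lower_port(a: Endpoint, b: Endpoint) -> Endpoint:
    """Port guessing: the lower port is the server. Works most of the time,
    confused by P2P, good last resort."""
    return a if a[1] < b[1] else b


def guess_by_port_list(a: Endpoint, b: Endpoint,
                       port_list: List[int] = PORT_LIST) -> Optional[Endpoint]:
    """Port list: the first listed port found on either endpoint is the server.
    None when neither port is listed (P2P picks ports more or less at random)."""
    for port in port_list:
        if a[1] == port:
            return a
        if b[1] == port:
            return b
    return None


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Default probe: connect() stands in for SYN -> SYN+ACK. A listener answers
    -> True; RST or timeout -> False. This puts packets on the wire."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate(a: Endpoint, b: Endpoint, probe: Probe = tcp_probe) -> Optional[Endpoint]:
    """Port validation: probe each endpoint in low-to-high port order and take
    the first one that answers as the server."""
    for ep in sorted((a, b), key=lambda e: e[1]):
        if probe(ep[0], ep[1]):
            return ep
    return None


def detect_source(a: Endpoint, b: Endpoint,
                  probe: Optional[Probe] = None) -> Tuple[Endpoint, Endpoint]:
    """Returns (source, server). Validation if a probe is given, then the port
    list, then lower-port guessing as the last resort."""
    server = validate(a, b, probe) if probe is not None else None
    if server is None:
        server = guess_by_port_list(a, b)
    if server is None:
        server = guess_by_lower_port(a, b)
    source = b if server == a else a
    return source, server


if __name__ == "__main__":
    # The session from the slide: the lower port (4444) is taken as the server
    local, remote = ("192.168.1.50", 52909), ("169.254.20.5", 4444)
    print(detect_source(local, remote))
    # Constructed P2P case where lower-port guessing is wrong and a probe fixes it
    listening = {("10.0.0.9", 51413)}
    fake_probe = lambda host, port: (host, port) in listening
    print(detect_source(("10.0.0.5", 6881), ("10.0.0.9", 51413), fake_probe))
```

For the 52909 <-> 4444 session nothing is on the port list, so the lower-port rule names 4444 as the server and the local PC as the source. In the P2P case the lower-port rule picks 6881, but the probe shows 51413 is the side actually listening, which is why validation is the reliable option when you can afford the extra packet.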
Groups

Used to classify hosts, networks

Important for whitelisting

"Local PCs can create long-term sessions with AOL IM servers, alert on anything else"

WHOIS used to include large networks

Q: How do you enumerate AIM servers?

A: Watch network traffic, use WHOIS feature of ackack to use the net block that contains that IP

Q: AOL is an ISP - did I just allow my network to get hacked by AOL users?

A: Generally speaking, net blocks that support apps such as AIM do not intermingle with IPs given to users.

Do your own WHOIS query for more info about business unit associated with IP before plugging into
Define "interesting"

Format:

Source: {Server: Duration, Server: Duration ...}

For each Source, sessions with these Servers for this Duration (minutes) should generate alerts

Source and Server are both Groups

Use "X" to specify "undefined" (a host that is in no Group)
Usage Examples

What do I do with it?

Can be used to watch network for abnormal sessions

Connect to mirror port, monitor session, network tap, etc. for more visibility

Proof-of-concept code, please send performance numbers :)

Uses a really cool C event loop (EV), but it's slacker Perl code nonetheless

Packet drops reported by Session Manager

Use Policies, Groups to report interesting sessions

As valid sessions are discovered, tweak policy and repeat
• Goals

Servers
  • Alert each time a session is established for more than 5 minutes
  • Alert each time a Server initiates a session

Inside
  • Alert when a session is established more than 10 minutes
  • Exclude sessions with AIM

• Groups
  - Servers: 169.254.20.5-169.254.20.10
  - Inside: 192.168.1.0/24
group.yml

Inside:
  - 192.168.1.0/24
Servers:
  - 169.254.20.5-169.254.20.10
# WHOIS queries
AIM:
  - (64.12.24.218)
  - (205.188.248.151)

policy.yml

# Alert when somebody inside opens session with unknown host
# more than 10 mins
Inside: {X: 10}

# Alert when unknown host opens session with server > 5 mins
X: {Servers: 5}

# Servers shouldn't initiate sessions
# It smells of sploits
Servers: {X: 0, AIM: 0}
As a pentesting tool

It's a sniffer, can be used with ettercap, etc.

ARP Poison and run to see sessions

Set "report_all" to 1 in config.yml

Shows all connections, not just alerts

Look for connections being made to the PCI zone; alert setup:

Use Groups to organize Source and Servers
Example Groups

group.yml

PCI:
  - 10.10.1.0/24
  - 10.10.2.1-10.10.2.10
Local:
  - 192.168.1.100-192.168.1.254
# These are just labels for visual cues
Printers:
  - 192.168.1.10-192.168.1.20
Mail:
  - 192.168.1.5
policy.yml

# Alert when Local talks to PCI environment
#
# Also when Local makes long-term connection to outside
# Might be interesting IM, webmail, or something
# (Or someone's already been here!)
Local: {PCI: 0, X: 10}

# This would be wrongish
PCI: {Local: 0}
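Added example, not ackack's own code: an evaluator for the Source: {Server: Duration} policy format from the "Define interesting" slide, run over the group.yml / policy.yml pairs from both the Usage Examples slides and the pentesting slides above. The YAML is written here as Python dicts so no parser is needed; the sessions are constructed. Assumed semantics, not spelled out on the slides: the first Group containing a host wins (the notes say Groups should not overlap), a host in no Group is "X", a (Source, Server) pair with no policy entry never alerts, and a parenthesised WHOIS entry is treated as that single IP rather than its whole net block.

```python
"""Added example, not ackack's own code: evaluates Source: {Server: Duration}
policies over constructed sessions using the slides' group/policy definitions
as Python dicts. Assumed semantics: first matching group wins, no group = "X",
pairs without a policy entry never alert, "(ip)" WHOIS entries = that one IP."""
import ipaddress
from typing import Dict, List, Optional, Tuple

Range = Tuple[int, int]
Groups = Dict[str, List[Range]]
Policy = Dict[str, Dict[str, int]]
Session = Tuple[str, str, float]        # (source_ip, server_ip, duration_minutes)
Alert = Tuple[str, str, str, str, float]

# group.yml / policy.yml from the Usage Examples slides
USAGE_GROUPS = {
    "Inside": ["192.168.1.0/24"],
    "Servers": ["169.254.20.5-169.254.20.10"],
    "AIM": ["(64.12.24.218)", "(205.188.248.151)"],
}
USAGE_POLICY: Policy = {"Inside": {"X": 10}, "X": {"Servers": 5}, "Servers": {"X": 0, "AIM": 0}}

# group.yml / policy.yml from the pentesting slides
PENTEST_GROUPS = {
    "PCI": ["10.10.1.0/24", "10.10.2.1-10.10.2.10"],
    "Local": ["192.168.1.100-192.168.1.254"],
    "Printers": ["192.168.1.10-192.168.1.20"],
    "Mail": ["192.168.1.5"],
}
PENTEST_POLICY: Policy = {"Local": {"PCI": 0, "X": 10}, "PCI": {"Local": 0}}


def parse_member(spec: str) -> Range:
    """CIDR '192.168.1.0/24', range 'a-b', or single host -> inclusive int range."""
    spec = spec.strip().strip("()")
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return int(net[0]), int(net[-1])
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(part.strip())) for part in spec.split("-", 1))
        return lo, hi
    host = int(ipaddress.ip_address(spec))
    return host, host


def compile_groups(raw: Dict[str, List[str]]) -> Groups:
    return {name: [parse_member(m) for m in members] for name, members in raw.items()}


def classify(ip: str, groups: Groups) -> str:
    """Name of the first group containing ip, or 'X' (undefined)."""
    value = int(ipaddress.ip_address(ip))
    for name, ranges in groups.items():
        if any(lo <= value <= hi for lo, hi in ranges):
            return name
    return "X"


def threshold(policy: Policy, src_group: str, srv_group: str) -> Optional[int]:
    """Minutes after which a src_group -> srv_group session alerts, or None when
    the pair is not covered. X only matches hosts in no group, so a defined
    group such as AIM falls outside an X rule automatically."""
    return policy.get(src_group, {}).get(srv_group)


def evaluate(sessions: List[Session], groups: Groups, policy: Policy) -> List[Alert]:
    alerts: List[Alert] = []
    for src, srv, minutes in sessions:
        sg, vg = classify(src, groups), classify(srv, groups)
        limit = threshold(policy, sg, vg)
        if limit is not None and minutes >= limit:
            alerts.append((sg, src, vg, srv, minutes))
    return alerts


def demo_usage() -> List[Alert]:
    sessions: List[Session] = [
        ("192.168.1.20", "198.51.100.7", 12),     # Inside -> unknown, 12 min: alert
        ("192.168.1.20", "198.51.100.7", 3),      # Inside -> unknown, too short
        ("192.168.1.20", "64.12.24.218", 45),     # Inside -> AIM: excluded by omission
        ("169.254.20.5", "198.51.100.9", 0),      # Server initiating: alert at once
        ("203.0.113.4", "169.254.20.6", 7),       # unknown -> Servers, 7 min: alert
        ("169.254.20.5", "192.168.1.20", 30),     # Servers -> Inside: no rule written!
    ]
    return evaluate(sessions, compile_groups(USAGE_GROUPS), USAGE_POLICY)


def demo_pentest() -> List[Alert]:
    sessions: List[Session] = [
        ("192.168.1.150", "10.10.1.5", 0),        # Local -> PCI: alert
        ("192.168.1.150", "192.168.1.5", 60),     # Local -> Mail: label only, no rule
        ("10.10.2.3", "192.168.1.150", 1),        # PCI -> Local: "wrongish", alert
        ("192.168.1.150", "198.51.100.7", 25),    # Local -> outside, long: alert
    ]
    return evaluate(sessions, compile_groups(PENTEST_GROUPS), PENTEST_POLICY)


if __name__ == "__main__":
    for alert in demo_usage() + demo_pentest():
        print("ALERT %s(%s) -> %s(%s) after %g min" % alert)
```

Two things worth noticing when you run it. The AIM exclusion on the Inside slide costs nothing to write: because AIM is a defined Group, an Inside -> AIM session never matches `Inside: {X: 10}`. The flip side is that `Servers: {X: 0, AIM: 0}` says nothing about Servers -> Inside, so a web server opening a session back into the user subnet is silent under the policy as written; add `Inside: 0` to the Servers entry if that is not what you want.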
Notes / Bugs / Excuses

• It's Perl, but there are PAR binaries in bin/ for Win32, Linux, MacOS
  Should work on other platforms if you can compile modules
  Most exotic is EV, used by AnyEvent for event loop

• Groups shouldn't overlap yet
  Hash order is like a box of chocolates...

• Source guessing in place, validation is soon
  Lowest port is server, might suck at P2P

• I was drunk about 50% of the time
Did I run over?

Thanks guys

Steve Ocepek
glassjoe@fastmail.net
socepek@trustwave.com

http://www.trustwave.com/spiderlabs